Administrator Tools

This topic describes administration tools and scripts that are included with your FortiSIEM deployment, along with information on where to find and how to use them.

listElasticEventAttributes.sh

Description

listElasticEventAttributes.sh gathers the Elasticsearch event attributes that occur in the events of the last N days, where N is the days value. The result is written as a .CSV file that you can use to prepare a custom Elasticsearch Event Attribute Template file. Uploading that file replaces the default Event Attribute template and can reduce the number of Event Attributes that Elasticsearch needs to search by default. For information on where to upload the custom file, see Configuring a Native, AWS, or Cloud Elasticsearch database.

Note: You can change an Event Attribute type if the default type is not suitable for your data, but you must upload the edited custom Event Attribute template afterward for the change to take effect.

How to Use It

The script is located in /opt/phoenix/config/javaQueryServer/.

Usage

[root@FortiSIEM]#listElasticEventAttributes.sh destURL httpPort(9200) [user passwd] days socketTimeoutInMinute outputFile

destURL - The destination URL, normally the Elasticsearch URL.

httpPort - The port number used to connect to Elasticsearch (9200 by default).

user and passwd - Optional. The username and password used to log in to Elasticsearch. The pair is positional: supply both or neither, directly after httpPort.

days - The number of past days of events to scan for attributes.

socketTimeoutInMinute - The maximum socket timeout, in minutes.

outputFile - The path of the .CSV file to write.

Example:

[root@FortiSIEM javaQueryServer]# ./listElasticEventAttributes.sh https://172.30.56.180 9200 "username" "password" 3 10 /tmp/1.csv
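The following wrapper is an added example and is not FortiSIEM's own code. It validates the positional arguments before calling listElasticEventAttributes.sh from its documented directory and takes the optional Elasticsearch credentials from the environment rather than the command line, so the password does not land in shell history or in the process list where any local user can read it with ps. The variable names ES_USER, ES_PASS and DRY_RUN are this wrapper's own, not the tool's.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own code: a wrapper around
# listElasticEventAttributes.sh that validates the positional arguments and
# reads the optional Elasticsearch credentials from the environment (ES_USER
# and ES_PASS are this wrapper's own names) instead of the command line, so
# the password does not end up in shell history or in the process list.
# DRY_RUN=1 prints the command line (password masked) instead of running it.

TOOL_DIR=/opt/phoenix/config/javaQueryServer

# True if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# validate_args destURL httpPort days socketTimeoutInMinute outputFile
validate_args() {
    [ $# -eq 5 ] || { echo "usage: run_tool destURL httpPort days socketTimeoutInMinute outputFile" >&2; return 1; }
    case "$1" in
        http://*|https://*) ;;
        *) echo "destURL must start with http:// or https://: $1" >&2; return 1 ;;
    esac
    is_uint "$2" && [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "bad httpPort: $2" >&2; return 1; }
    is_uint "$3" && [ "$3" -ge 1 ] || { echo "days must be a positive integer: $3" >&2; return 1; }
    is_uint "$4" && [ "$4" -ge 1 ] || { echo "socketTimeoutInMinute must be a positive integer: $4" >&2; return 1; }
    [ -d "$(dirname "$5")" ] || { echo "output directory does not exist: $5" >&2; return 1; }
    # The [user passwd] pair is positional: the tool expects both or neither.
    if [ -n "${ES_USER:-}" ] && [ -z "${ES_PASS:-}" ]; then
        echo "ES_USER is set but ES_PASS is not" >&2; return 1
    fi
    return 0
}

# run_tool destURL httpPort days socketTimeoutInMinute outputFile
run_tool() {
    validate_args "$@" || return 1
    url=$1; port=$2; days=$3; timeout=$4; out=$5
    if [ -n "${ES_USER:-}" ]; then
        set -- "$url" "$port" "$ES_USER" "$ES_PASS" "$days" "$timeout" "$out"
        shown="listElasticEventAttributes.sh $url $port $ES_USER **** $days $timeout $out"
    else
        set -- "$url" "$port" "$days" "$timeout" "$out"
        shown="listElasticEventAttributes.sh $url $port $days $timeout $out"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$shown"
        return 0
    fi
    cd "$TOOL_DIR" && ./listElasticEventAttributes.sh "$@"
}

# Run as a script with "run" as the first word, for example:
#   ES_USER=username ES_PASS=password ./wrapper.sh run https://172.30.56.180 9200 3 10 /tmp/1.csv
case "${1:-}" in
    run) shift; run_tool "$@" ;;
esac
```

Because the credential pair is optional but positional, a script that builds the argument list must insert both values or neither; the wrapper refuses to run when only the username is present rather than letting days be read as the password.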

phTools

Description

phTools is a simple tool for starting and stopping the FortiSIEM backend processes, for changing their log level (--change-log), and for reporting statistics (--stats). When you upgrade your deployment, for example, you use phTools to stop all backend processes first.

How to Use It

Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]#phtools <command> <target>

Commands: --change-log, --start, --stop, --stats

Target: ALL

--change-log also takes a log level, one of ERROR, TRACE, INFO, DEBUG, CRITICAL.
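The script below is an added example, not FortiSIEM's own code. It wraps the phtools commands this page lists (--start, --stop and --stats with target ALL) and runs a maintenance step such as an upgrade with the backend stopped, starting the backend again afterwards even if the step fails, so a failed upgrade step does not leave the collector offline. The step itself is whatever command the caller passes in; the script assumes nothing about it. DRY_RUN is this script's own switch and prints the phtools command lines instead of executing them; the --change-log form is not covered here.

```shell
#!/bin/sh
# Added example, not FortiSIEM's own code: wraps the phtools commands this
# page lists (--start, --stop, --stats with target ALL) and runs a maintenance
# step with the backend stopped, restarting it afterwards even if the step
# fails. The maintenance step is whatever command the caller passes in; this
# script assumes nothing about it. DRY_RUN=1 prints the phtools command lines
# instead of executing them. The --change-log form is not covered here.

# phtools_cmd <command> ALL: validate against the documented command set and
# print the command line that would run.
phtools_cmd() {
    case "${1:-}" in
        --start|--stop|--stats) ;;
        *) echo "unknown phtools command: ${1:-<missing>}" >&2; return 1 ;;
    esac
    [ "${2:-}" = ALL ] || { echo "unsupported target: ${2:-<missing>}" >&2; return 1; }
    echo "phtools $1 $2"
}

# run_phtools <command> ALL: validate, then execute (or print under DRY_RUN).
run_phtools() {
    line=$(phtools_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$line"
        return 0
    fi
    phtools "$1" "$2"
}

# with_backend_stopped <command...>: stop all backend processes, run the
# command, then start them again regardless of the command's outcome.
# Returns the command's exit status so the caller still sees a failure.
with_backend_stopped() {
    [ $# -ge 1 ] || { echo "with_backend_stopped: no command given" >&2; return 1; }
    run_phtools --stop ALL || return 1
    if "$@"; then rc=0; else rc=$?; fi
    run_phtools --start ALL
    return $rc
}

# Run as a script, e.g. (the upgrade command is a placeholder for whatever
# your upgrade procedure actually runs):
#   ./maint.sh with-backend-stopped /path/to/upgrade-step
case "${1:-}" in
    with-backend-stopped) shift; with_backend_stopped "$@" ;;
esac
```

The restart is unconditional on purpose: the function captures the step's exit status, brings the backend back with --start ALL, and only then returns that status, so the caller can still abort the rest of the procedure on failure.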

TestESSplitter

Description

Run the TestESSplitter tool from a Supervisor or Worker node to export events from Elasticsearch to the FortiSIEM eventDB format.

How to Use It

See TestESSplitter in Exporting Events to Files.

TestSegmentReader

Description

TestSegmentReader reads the data segments of the eventDB directly from the command line. Use it to manually inspect data integrity and the parsed event attributes of a segment.

How to Use It

Log in to the FortiSIEM host machine as root.

Usage

[root@FortiSIEM]#TestSegmentReader <segmentDir>

segmentDir - The directory of the eventDB segment to read.

phExportESEvent

Description

Exports event information from FortiSIEM Elasticsearch events to a CSV file.

How to Use It

See phExportESEvent in Exporting Events to Files.

phExportEvent

Description

Exports event information from the FortiSIEM eventDB or from the Archive location to a CSV file.

How to Use It

See phExportEvent in Exporting Events to Files.

TestDBPurger

Description

A script that selectively deletes event data for one organization and one time interval.

How to Use It

Use only to delete data for a single date: run the script once per date and organization. If you try to delete data for multiple dates in one run, the script fails. The script is located at /opt/phoenix/bin/TestDBPurger. Run it in terminal mode and follow the prompts.